IE 0-day using .hlp files

Published: 2010-03-01
Last Updated: 2010-03-02 15:15:39 UTC
by Mark Hofman (Version: 2)
3 comment(s)

A POC has been posted which outlines how to use VBScript in a .HLP file to invoke winhlp32.exe in Windows 2000, Windows XP SP2, SP3 & Windows 2003 SP2. A malicious page is needed to trick the user into pressing the F1 button which invokes the help function,arbitrary commands can then be executed. The attack works in IE 6, 7, & 8. 

A work around is to disable active scripting in Internet Explorer.  A second work around is to change the permission on winhlp32.exe  as shown in the advisory.

Microsoft has posted an advisory  here

Whilst we haven't seen any attacks based on this just yet, if you do please let us know. 


(Thanks David & Pholder)


3 comment(s)
Diary Archives